UK Data Retention and Investigatory Powers Bill

Peter Fairbrother zenadsl6186 at zen.co.uk
Fri Jul 11 17:23:31 BST 2014


On 11/07/14 14:51, Caspar Bowden (lists) wrote:
> On 07/11/14 15:31, Ian Batten wrote:
>> On 10 Jul 2014, at 21:14, Roland Perry
>> <lists at internetpolicyagency.com> wrote:
>>
>>> In article
>>> <CAK0b=2cu=0GrxSXoA8BedTPfseu0dBAv+qBxmOENd+vgYD17Qw at mail.gmail.com>,
>>> Tony Naggs <tony.naggs at googlemail.com> writes
>>>> I'm not really clear why a law change is required for communications
>>>> data to be held for 12 months. Probably most businesses will want to
>>>> hold this data for a year in order to address billing disputes & such
>>> Very few ISPs produce itemised bills saying who you emailed and when,
>>> or listing which web pages you went to in order to use up your
>>> 1GB/month.
>> I still don't follow (either technically or legally) on what basis
>> ISPs will be able to retain logs of which websites you visited.
>
> Up until now, I think the 2003 Code of Practice on ATCSA Retention - it
> is still in force
>
> DRIP 1(2)c now provides compulsion, of what was previously "voluntary"

No. DRIP ss.1(2)c only applies to "relevant" comms data, defined in ss.2(1):

""relevant communications data" means communications data of the kind
mentioned in the Schedule to the 2009 Regulations so far as such data
is generated or processed in the United Kingdom by public
telecommunications operators in the process of supplying the
telecommunications services concerned;"

That does *NOT* include website logs. There is a list of the types of 
data to which DRIP applies here:

http://www.legislation.gov.uk/ukdsi/2009/9780111473894/schedule

and of course it is exactly the same list as was in force before the 
ECtJ judgement.

However, there are a couple of minor caveats: subsections 2(2) and 
perhaps 2(3) modify that definition, and I don't know what they actually 
mean - anyone?








However, a Notice given under DRIP ss.1(1) can demand that data is kept 
forever - there is no time limit on it.

Reading the notes, this may be due to incompetence rather than a power 
grab: the notes envisage that some future Regulations to be made under 
ss.1(3) will limit retention to 12 months.

However such Regulations do not exist at present [the notes say a draft 
of the regs will be available during the bill's passage - anyone know a 
link for this please?], and they can't be brought into force until the 
next session of Parliament anyway.

Further, there is nothing in DRIP which says they have to make any 
Regulations at all, or that those Regulations must include a maximum 
period for all retentions - only that any maximum period they do contain 
must not exceed 12 months.

I think a small amendment to ss.1(5) might cure this oversight, and not 
be too objectionable to anyone - just put the maximum time limit in the 
Act rather than in the Regulations (it probably belongs there anyway).







I think the most egregious part (apart from the fact that overall the 
Bill does nothing whatsoever to comply with the sentiments behind the 
ECtJ judgement), and the part to get most upset about, may well be 
section 5.


The notes say "This clause inserts a new subsection into section 2 of 
RIPA. New section 2(8A) makes clear that the definition of 
“telecommunications service” includes companies who provide 
internet-based services, such as webmail."


But it goes a whole lot further than that:

5 Meaning of "telecommunications service"
In section 2 of the Regulation of Investigatory Powers Act 2000 (meaning 
of "interception" etc), after subsection (8) insert--

(8A) For the purposes of the definition of "telecommunications service" 
in subsection (1), the cases in which a service is to be taken to 
consist in the provision of access to, and of facilities for making use 
of, a telecommunication system include any case where a service consists 
in or includes facilitating the creation, management or storage of 
communications transmitted, or that may be transmitted, by means of such 
a system.


which as far as I can see *IS* a major landgrab - it includes whole 
swathes of things which weren't included before. Like web designers, 
for instance.

Or internet reporters.

And a Zillion more.


Again, it may be just incompetence rather than a deliberate landgrab; 
but as-is section 5 should most definitely not be included in the Act.

-- Peter Fairbrother


